We’ve spotted an uptick in a particular type of threat hitting Twitter users in Japan. We call this threat the “browser crasher” after what it does: it causes the browser to “hang/crash”. To do this, the user has to be lured to visit a particular site that hosts the JavaScript code. So long as the browser keeps that site open, the user will be unable to browse websites normally.

How is this attack conducted? In this particular case, users were lured to the site using various Twitter messages. The messages of the tweets varied: some said the site was interesting, while others explicitly warned users not to click on it.

Twitter posts leading to “browser crasher” page

Whatever the case, once users ended up on the site they would get the following pop-up on any JavaScript-enabled browser (which is to say, just about any browser on any operating system), as shown here on an iPhone:

Pop-up on iPhone

The message in Japanese tells users that they will not be able to get off the page, no matter what they do. Clicking the OK button will not be enough to get rid of the pop-up, as a new one will appear with exactly the same message. This pop-up will keep bothering the user and stop them from using the browser until they are able to get off the offending page.

What the JavaScript does is actually quite simple. The JavaScript within the site contains the code to create a pop-up, as seen above. However, this code is placed inside an infinite loop – as soon as the user closes one alert, the code triggers again and opens another pop-up in a never-ending cycle that continues as long as the site is open.
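The defence browsers eventually adopted against this pattern is to stop showing dialogs once a page has fired the same alert repeatedly. The following is an added example (not code from the original post or from the page analysed) of such a guard: it wraps `alert` the way a browser extension content script could, suppresses a message after a configurable number of repeats within a time window, and is exercised against a bounded simulation of the repeating alert so it terminates. The `installAlertGuard`, `runCrasherSimulation` names, the thresholds and the alert text are all constructed for this illustration.

```javascript
// Defensive wrapper: rate-limit repeated alert() calls on a window-like object.
// maxRepeats identical messages within windowMs are shown; later ones are dropped.
function installAlertGuard(win, { maxRepeats = 3, windowMs = 5000, now = Date.now } = {}) {
  const original = win.alert;
  const seen = new Map();            // message text -> { count, firstAt }
  const stats = { shown: 0, suppressed: 0 };

  win.alert = function guardedAlert(message) {
    const text = String(message);
    const t = now();
    let entry = seen.get(text);
    if (!entry || t - entry.firstAt > windowMs) {
      entry = { count: 0, firstAt: t };   // new message, or window expired: reset
      seen.set(text, entry);
    }
    entry.count += 1;
    if (entry.count > maxRepeats) {
      stats.suppressed += 1;
      return false;                       // dialog suppressed; page regains no control
    }
    stats.shown += 1;
    original.call(win, text);             // hand the first few through to the real dialog
    return true;
  };
  return stats;
}

// Bounded stand-in for the page's behaviour: the same alert fired over and over.
// A fake window object replaces the browser so this runs under Node; the clock is
// simulated so the test is deterministic.
function runCrasherSimulation(iterations = 100) {
  const dialogs = [];
  const fakeWindow = { alert: (msg) => dialogs.push(msg) };   // constructed stand-in
  let clock = 0;
  const stats = installAlertGuard(fakeWindow, { maxRepeats: 3, windowMs: 5000, now: () => clock });
  for (let i = 0; i < iterations; i++) {
    fakeWindow.alert('You cannot leave this page');            // constructed message text
    clock += 10;                                               // each dismissal takes 10 ms
  }
  return { dialogsShown: dialogs.length, ...stats };
}
```

After the third identical dialog the guard returns immediately, so the user sees three pop-ups rather than an unbounded stream and can close the tab normally.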

We showed this in a mobile browser because a majority of Twitter users – 60 percent in the US, and 80 percent in the UK – access Twitter via mobile devices, so it is quite likely that they would go to this site on a mobile device. This script does not download any malware onto the device; all it does is produce these pop-ups.

If you have ended up on this site, you can stop these alerts by closing the window or tab where this site was opened. For desktop browsers, this is not too difficult. Because many mobile browsers reopen any pages the user had open the last time they used the browser, this may be more difficult on those devices. One way to get around this is to turn on airplane mode, restart the phone, open the browser, and close the tab in question.

In 2011, an attacker used this technique to knock a Japanese chat site offline. The attacker compromised the site and added the JavaScript code necessary to do this to the site, effectively knocking it offline. This attack may seem innocuous, but aside from annoying users it can have real-world consequences. (The Japanese police took a rather dim view of this incident, tracking down the person who launched this 2011 attack and arresting him.)

This URL was first seen last year, but we only saw tweets leading to it earlier this month, with hundreds of tweets linking to it as of last week. There was nothing in this attack save for its social engineering that limited its scope to Japanese users – it would not have been difficult to create bait that would work as well for users elsewhere. It may not have used up anything other than the patience of users, but it’s still a useful reminder that many links in social media – even “interesting” or viral ones – can be potentially risky.

With additional analysis from Threats Analyst Yoshikawa Takashi.

This entry was posted on Tuesday, March 26th, 2013 at 12:59 am and is filed under Social.